HCSI - HIPAA FORMS AND THEIR USES
(On your electronic version of the forms you may customize the forms to your practice by filling in the blue text areas with the office information it specifies)
- Access Flowchart
This chart is a tool to help practices understand the general flow of how patients and others can access their protected health information (PHI).
- Accounting for Disclosures Quick Reference
This form is a quick reference to help the Compliance Officer determine what must be logged on the “PHI Disclosure Log.”
- Acknowledgment Form
This form goes along with the “Notice of Privacy Practices” (NPP) form. All patients must sign this form after receiving a copy of the NPP (see “Notice of Privacy Practices” for more information).
- Approval/Denial of Request to Amend PHI
To be used by the Compliance Officer to approve the legitimate amendments that were requested, and deny the requests that have no merit.
- Approval of Request to Inspect or Copy PHI
This form goes along with the “Request to Inspect or Copy PHI.” It is used to approve the request from the patient to inspect or copy their protected health information.
- Billing Audit Form
To be used at least twice a year to audit billing practices to catch potential fraud, abuse, and to make sure the staff continually bills accurately. The auditor must randomly pull charts and audit the billing therein. The amount of files that need to be audited at a give time depends upon the size of the practice. On average, practices generally audit 8-10 files a session. Your main goal in this audit is to obtain a good sample of the billing personnel’s work to see if all is being honestly and accurately completed.
- Business Associate Agreement
This form is used by the covered entity to send to their business associates. This allows the business associate to enter into an agreement to handle all PHI received from the covered entity according to HIPAA rules and regulations. A business associate is a person or company who provides certain functions, activities, or services on behalf of a covered entity involving the use and/or disclosure of PHI and are not covered entities themselves.
- Business Associate Letter
This letter must be addressed to the business associated and is designed to introduce the Business Associate Agreement.
- Data Use Agreement
This is a written agreement between the covered entity and a business associate. This agreement enable the business associate to receive “limited data sets” from the covered entity for purposes of research, public health, or healthcare operations, as specified in the Data Use Agreement.
- Denial of Request to Inspect or Copy PHI
This form also is use along with the “Request to Inspect or Copy PHI” It is to deny any part of the request of the patient to view or copy their protected health information. If certain information is denied, the patient has the right to request a review of the denial, which is apart of this form.
Example: A patient wanted a copy of their medical record and there were psychotherapy notes, along with PHI that was gained from another source under a promise of confidentiality in the designated record set. The physician felt that it was not in the best interest of the patient to make that information available to the patient. He filled out the denial form denying access to the psychotherapy notes along with the other information that was to be kept confidential. Then he filled out the approval portion of the form to approve the records that were available for inspection or copying.
- Disclosures for Judicial & Administrative Proceedings (Flowchart)
This chart is a tool to help practices understand what documentation is required before they are allowed to release PHI for judicial or administrative proceedings such as order from the court, a subpoena, or other lawful process.
- Fax & E-mail Disclaimer
This disclaimer must precede every transmitted fax or e-mail to reasonably safeguard PHI if it is sent to the wrong location.
- Fax Log
Used to help protect practices from faxing errors by documenting faxes sent out and confirming fax numbers.
- HIPAA Compliance Training Log
This log is to be use by the Compliance Officer to document the practice’s ongoing training efforts. Training must be performed and documented no less than twice a year.
- HIPAA Complaint and Resolution Form
This form is to be used by the patient to submit to the office possible HIPAA breaches, and/or unauthorized disclosures of Protected Health Information (PHI).
- Notice of Privacy Practices (NPP) & Acknowledgment Form
Covered entities are required to give their patients a copy of the NPP no later then the first delivery of services. Providers must also make a good faith effort to obtain a written acknowledgment of receipt of the NPP (one time for each patient and place that acknowledgement in their permanent chart). If the acknowledgment is not obtained, document your good faith efforts to obtain such acknowledgement and the reason why the acknowledgment was not obtained. If there are any changes in the NPP, a covered entity must notify the patient and make the new NPP available if the patient wishes to obtain a copy.
- PHI Disclosures Log
This log is use to keep an accounting of disclosures that are not related to treatment, payment, or health care operations (TPO), disclosures to the individual, and other disclosures that are required by law. Look on the “Accounting for Disclosures Quick Reference” for a list of disclosure that must be logged.
- Privacy Audit Form
To be used at least twice a year to audit the confidentiality of patient medical records in your office to ensure compliance with HIPAA law. The auditor must randomly pull charts to audit them. The amount of charts that need to be audited at a time depends upon the size of the practice. On average, practices generally audit 8-10 charts a session. Remember that your main goal in this audit is to make sure that the office is properly protecting the confidential of patient charts.
- Privacy Complaint Form
This form is to be used by the patient to submit a complaint to The Office for Civil Rights (OCR) regarding possible HIPAA privacy violations performed by our practice or any other practice. If there is a complaint about our practice the Compliance Officer should first try to resolve the problem “in house” (using the “patient complaint and resolution form”) before it is sent to OCR. Only if the problem can not be resolve or if the patient is not satisfied with the resolution, the complaint should then be sent to OCR.
- Reasonable Safeguards Checklist and Audit Form
To be used at least twice a year to audit the practice to ensure that the proper safeguards are in place to protect the patients protected health information (PHI).
- Request for Accounting of PHI Disclosures
To be use by the patient to request a copy of any or all disclosures logged on their “PHI Disclosures Log.”
- Request for Confidential Communication of PHI
To be used by the patient to request that their PHI be sent to them in a alternate way. Patient usually request confidential communication because they believe that if their PHI got into the wrong hands they would be in danger, or they might just be very concerned about their privacy.
Examples: A patient might want you to send their health information to an alternate address, mail appointment reminders in an enclosed envelope instead of on a postcard, send mail to a post office box rather than at home, through e-mail, only contact them at work, etc. Covered entities must accommodate reasonable requests.
- Request for Restrictions
To be used by the patient to restrict uses or disclosures of their protected health information for treatment, payment, or health care operation purposes. Practices are not required to agree to unreasonable requests such as request that impede the proper delivery of healthcare, payment for services rendered, or disclosures require by law, etc.
- Request to Amend PHI
To be used by the patient to request an amendment to their PHI. If the patient feels that their record is not complete they can request an amendment, but it is up to the covered entity to decide if the amendment should be made. If the covered entity believes that the information is correct and accurate the covered entity is not required to make an amendment. Other requirements are stated on the actual form.
- Request to Inspect or Copy PHI
To be used by patients to request access to look at or obtain a copy of their PHI. As stated on the form, there is certain health information that can not be released.
- Request to Inspect or Copy Protected Health Information (Deceased)
To be use by the deceased patient’s legally authorized executor, who is otherwise legally authorized to act on the behalf of the deceased individual and/or his/her estate.
- Review of Denial to Permit Inspection or Copying of PHI
This form is to be used by the provider to inform patients that their denial to access has been reviewed and approved, or still remains denied. An individual that was not part of the first denial process must perform this review. To be able to review a denial decision, the information must be defined as “reviewable” under HIPAA law. If the information is defined as “unreviewable” it remains denied and there can be no review.
- Revocation of Authorization for Use and Disclosure of PHI
It is used to revoke, or in other words cancel the Standard Authorization form.
Example: A patient authorized her husband to be able to gain access to her health information, but now they are getting a divorce and she doesn’t want him to have access any longer. So she revoked the authorization using this form.
- Sign-in Sheet
This form is to be used to track patients coming in for their appointments.
- Standard Authorization of Use and Disclosure of PHI
The Standard Authorization is a customized document that gives covered entities permission to use specified PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual. Example: Bob works all the time and is rarely home so it is very hard to contact him to let him know about his lab work, test results, etc. He wants his wife to be able to take care of those things. The nurse has him fill out the “Standard Authorization.” The nurse then makes a copy of it, giving the copy to the patient, keeping the original in the patient’s chart.
- Standard Authorization Checklist
To be used to check for required fields when receiving an authorization from another practice or from a third party to make sure the authorization is compliant with HIPAA law.
- TCS Checklist
This tool is to be use to help the Compliance Officer know what they must do to comply with the Transaction and Code Sets Standard.
- TCS Complaint Form
This form is to be used by the patient to submit a complaint to The Center for Medicare/Medicaid Services (CMS) regarding possible HIPAA Transaction and Code Set violations performed by our practice or any other practice. If there is a complaint about our practice, the Compliance Officer should first try to resolve the problem “in house” (using the “patient complaint and resolution form”) before it is sent to CMS. Only if the problem can not be resolve or if the patient is not satisfied with the resolution, the complaint should then be sent to CMS.
- Transaction and Code Sets Compliance Assurance
This form is to be signed by the practice’s software vendor and/or clearinghouse (those companies that deal with electronic transactions) to comply with the HIPAA TCS standard.
- Visitors Log
To be used to identify and keep track of visitors that do not have an appointment. Use also as a deterrent for suspicious individuals wandering around the practice.
Revised: 10/27/2017
Healthcare Compliance Solutions Inc. 4885 S. 900 E #305A Phone: (801) 947-0183
Salt Lake City, UT 84117 Fax: (801) 943-6658